9.10. Starburst Kafka Connector#

The Starburst Kafka Connector is an extended version of the Kafka Connector with configuration and usage identical. It includes security improvements, since the default security configuration of the Kafka connector does not use authentication or encryption when connecting to a Kafka service.

SSL Authentication#

With SSL authentication, the Kafka server authenticates the Presto Kafka connector, also called “2-way authentication”. To use SSL add the following configuration to your catalog file.

kafka.security-protocol=SSL

The following configuration properties have to be also set:

Property Name Description
kafka.ssl.truststore.locatfion Location of the SSL truststore file.
kafka.ssl.truststore.password Password to the truststore file.
kafka.ssl.keystore.location Location of the SSL keystore file.
kafka.ssl.keystore.password Password to the keystore file.
kafka.ssl.key.password Password of the private key stored in the keystore file.

Example configuration with SSL security protocol:

connector.name=kafka
...
kafka.security-protocol=SSL
kafka.ssl.truststore.location=/etc/secrets/kafka.broker.truststore.jks
kafka.ssl.truststore.password=truststore_passwrod
kafka.ssl.keystore.location=/etc/secrets/kafka.broker.keystore.jks
kafka.ssl.keystore.password=keystore_password
kafka.ssl.key.password=private_key_password

Kerberos (SASL) Authentication#

With SASL authentication, the Kafka server authenticates the Presto Kafka connector using the Kerberos service. This configuration is using non encrypted (non-encrypted) protocol. To use Kerberos (SASL) protocol add the following configuration to your catalog file.

kafka.security-protocol=SASL_PLAINTEXT

The following configuration properties have to be also set:

Property Name Description
kafka.kerberos.client.principal Kafka Kerboros client principal.
kafka.kerberos.client.keytab Kafka Kerberos client keytab location.
kafka.kerberos.config Kerberos service file location. Typically /etc/krb5.conf.
kafka.kerberos.service-name The Kerberos principal name of Kafka service.

Example configuration with SASL security protocol:

connector.name=kafka
...
kafka.security-protocol=SASL_PLAINTEXT
kafka.kerberos.client.principal=kafka/broker1.your.org@YOUR.ORG
kafka.kerberos.client.keytab=/etc/secrets/kafka_client.keytab
kafka.kerberos.config=/etc/krb5.conf
kafka.kerberos.service-name=kafka

Kerberos (SASL) Authentication with SSL#

With SASL authentication, the Kafka server authenticates the Presto Kafka connector using the Kerberos service. This protocol uses SSL encryption.

To use Kerberos (SASL) with SSL protocol add the following configuration to your catalog file.

kafka.security-protocol=SASL_SSL

The following configuration properties have to be also set:

Property Name Description
kafka.kerberos.client.principal Kafka Kerboros client principal.
kafka.kerberos.client.keytab Kafka Kerberos client keytab location.
kafka.kerberos.config Kerberos service file location. Typically /etc/krb5.conf.
kafka.kerberos.service-name The Kerberos principal name of Kafka service.
kafka.ssl.truststore.location Location of the SSL truststore file.
kafka.ssl.truststore.password Password to the truststore file.
kafka.ssl.keystore.location Location of the SSL keystore file.
kafka.ssl.keystore.password Password to the keystore file.
kafka.ssl.key.password Password of the private key stored in the keystore file.

Example configuration with SASL_SSL security protocol:

connector.name=kafka
...
kafka.security-protocol=SASL_SSL
kafka.kerberos.client.principal=kafka/broker1.your.org@YOUR.ORG
kafka.kerberos.client.keytab=/etc/secrets/kafka_client.keytab
kafka.kerberos.config=/etc/krb5.conf
kafka.kerberos.service-name=kafka
kafka.ssl.truststore.location=/etc/secrets/kafka.broker.truststore.jks
kafka.ssl.truststore.password=truststore_passwrod
kafka.ssl.keystore.location=/etc/secrets/kafka.broker.keystore.jks
kafka.ssl.keystore.password=keystore_password
kafka.ssl.key.password=private_key_password